Re: Secure.dcom.exe

From: Sorin Victor DUDEA (sdudea_at_bitdefender.com)
Date: 08/08/03

    Date: Fri, 8 Aug 2003 09:25:26 +0300
    To: "Lee Evans" <lee@leeevans.org>

    Hello Lee,

          That file is not malware. It is a DCOM disabler.
          It sets the key EnableDCOM from
          HKLM\Software\Microsoft\Ole\ to 'N'. By this the computer is
          immune to the RPC/DCOM exploit.

    Wednesday, August 6, 2003, 1:50:13 PM, you wrote:

    LE> Hi All,

    LE> I have found an executable called secure.dcom.exe when looking around a
    LE> customer's server. They hadn't patched the server above SP4 and I assume it
    LE> has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has
    LE> been installed, but I'm still looking into it to see if I can spot anything
    LE> else. Netstat shows a bunch of outgoing connections to 6667 -
    LE> irc.homelien.no. Unfortunately there are no IDS or other systems on this
    LE> network segment I can use, so I'm looking for some way to capture this traffic
    LE> and hopefully track down some more details on the irc traffic - if anyone
    LE> can recommend a good (preferably free) traffic sniffer I can quickly install
    LE> on the host locally (win2k sp4) to decode the IRC traffic I would be
    LE> grateful.

    LE> The exe is available from http://www.leeevans.org/secure.dcom.exe - if
    LE> anyone wants a look. I'd be interested to know more about it, if anyone has
    LE> come across it before or can find out.

    LE> Regards
    LE> Lee

    -- 
    Best regards,
         Sorin Victor Dudea
         BitDefender Head of Antivirus Research
         E-mail: sdudea@bitdefender.com, sdudea@softwin.ro
         www.bitdefender.com
         www.softwin.ro
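The reply above describes what the disabler does (it writes EnableDCOM = 'N' under HKLM\Software\Microsoft\Ole), and Lee's question concerns the outgoing connections to TCP 6667 seen in netstat. The following is an added triage script, not code from the thread or from BitDefender: it reads that registry value without changing it and lists established outbound connections to the IRC port together with the owning process. It assumes a current Windows host with PowerShell 5 or later and the NetTCPIP module (Get-NetTCPConnection), which the Windows 2000 box in the thread would not have; the registry path and value name are the ones given in the message.

```powershell
# Added example (not from the original thread): audit the DCOM setting named in
# the reply and list established connections to the IRC port from Lee's netstat.
# Assumes PowerShell 5+ and the NetTCPIP module (Windows 8 / Server 2012 or later).

$OlePath = 'HKLM:\SOFTWARE\Microsoft\Ole'   # path quoted in the reply

function Get-DcomStatus {
    # EnableDCOM is a REG_SZ holding 'Y' or 'N'; an absent value means the
    # default, which is DCOM enabled. This only reads, it never writes.
    $item  = Get-ItemProperty -Path $OlePath -Name 'EnableDCOM' -ErrorAction SilentlyContinue
    $value = if ($item) { $item.EnableDCOM } else { $null }

    if ($null -eq $value)  { return 'Enabled (EnableDCOM value absent, default)' }
    if ($value -eq 'N')    { return 'Disabled (EnableDCOM = N)' }
    return "Enabled (EnableDCOM = $value)"
}

function Get-IrcConnections {
    param([int]$Port = 6667)   # port from Lee's netstat output
    # Established TCP sessions to the given remote port, mapped to the owning
    # process so an unexpected binary (e.g. something dropped after the RPC/DCOM
    # compromise) can be spotted quickly.
    Get-NetTCPConnection -RemotePort $Port -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Pid           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                Path          = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
            }
        }
}

Write-Host "DCOM: $(Get-DcomStatus)"

$irc = @(Get-IrcConnections)
if ($irc.Count -gt 0) {
    $irc | Format-Table -AutoSize
} else {
    Write-Host 'No established connections to TCP 6667.'
}
```

Run it from an elevated PowerShell prompt so Get-Process can resolve the image path of every owning process; a process whose path comes back as <unknown> under elevation is itself worth a second look. Note that setting EnableDCOM to 'N' is a workaround, not a substitute for the MS03-026 patch the thread implies was missing.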
